JWT tokens without both 'iss' and 'aud' are no longer reported as active credentials

Mick Grove 2025-08-07 17:21:16 -07:00
commit b71fb5e6e2
5 changed files with 85 additions and 7 deletions


@ -71,7 +71,11 @@ pub async fn validate_jwt(token: &str) -> Result<(bool, String)> {
// ---------------------------------------------------------------------------
let issuer = claims.iss.clone().unwrap_or_default();
let aud_strings = extract_aud_strings(&claims);
if issuer.trim().is_empty() && aud_strings.iter().all(|s| s.trim().is_empty()) {
return Ok((false, "JWT missing issuer and audience".to_string()));
}
if let Some(iss) = claims.iss.clone() {
// parse header now (kid, alg)
let header = decode_header(token).map_err(|e| anyhow!("decode header: {e}"))?;